WannaCry Again with Petya?

By: Absolute Security | 6/27/2017

Another massive ransomware outbreak is on the move and it seems few are immune but many more could be…if they would stay up to date on patching.

In what appears to have started in Ukraine yesterday and then quickly spread throughout Europe and beyond, enterprises from virtually every industry are falling victim to another large scale ransomware attack. From oil refineries to banks, government agencies to ad agencies, no one is immune which often means one thing – the motivation is money.

Many researchers are connecting this attack to a family of ransomware known as Petya. Others are claiming that it’s “Not Petya” but an entirely new family of ransomware. In the interest of consistency, I’m just going to call it Petya going forward.

It’s still very early and researchers are still sorting out the details but it does look like Petya is leveraging ETERNALBLUE – the exploit WannaCry used in its global ransomware attack just 2 months ago. If ETERNALBLUE sounds familiar, it should. This particular exploit was included in the tools the ShadowBrokers stole from the NSA and leaked for every cybercriminal to use. The financial motivation here has yet to pay out substantially. Reportedly, the hackers are demanding $300 in Bitcoin ransom but they haven’t collected much, yet.

It also appears that Petya has some new tricks up its sleeve. It seems to be able to spread internally throughout victims’ network by using a custom tool very similar to the popular open source hacking tool Mimikatz, which extracts passwords from memory. It seems that if Petya can infect a PC with access to your domain administrator credentials, it will then be able to spread rapidly throughout your environment with reckless abandon.

It's (past) time to patch

In the midst of so many doom and gloom headlines today, there is a silver lining. If you updated your software with one patch in particular – MS17-010 - which was released on March 14 – you may be able to stop Petya. In May, when WannaCry hit, organizations were reminded to apply MS17-010 but we’re now seeing that warning fell on far too many deaf ears.

Just this month, Absolute, in partnership with Ponemon Institute, released the Cost of Insecure Endpoints Benchmark Study. A number of interesting findings rose to the surface but a few in particular come to mind now. Namely: 63% say they cannot monitor endpoint devices when they leave the corporate network and 53% say malware-infected endpoints have increased in the last 12 months. Out-of-date, unpatched or corrupted endpoint agents are the most common endpoint security gap today, more than half of the respondents say. And furthermore, 75% of respondents said they are not keeping up with software patching.

Endpoints – and in particular, dark endpoints – are an ever-increasing danger to organizations. Managing endpoint security and protecting data is both a global business performance issue and national security concern. There are many steps you should take to build an effective security strategy around managing your endpoints and the critical data residing on them. If you’re wondering where to begin with this challenge at your organization, I suggest you start today by applying MS17-010. Then make sure your endpoints are as up-to-date as possible on all other outstanding critical security fixes.

After that, it’s critical to create and test an effective endpoint backup strategy. Once you’re satisfied with that, you should consider a nuclear/apocalypse plan: what would you do if you couldn’t fix things? Do you have a standard image for users that you can restore from right away? If you can build the ability to react quickly and remediate hit systems right away, you will be ready for whatever else will come next.

And let’s be pragmatic: there will be something next.

Financial Services